LJK/Security Reference Manual



L.2.5.1 Example of an Exemption Based on Node

For LJK/Security test (VMS,ANNOUNCE,CONTAINS)2 the value specified in the limit is the system use notification to be displayed to authorized users on login. This means a violation will be reported for any Node where this notification is not provided. An exemption might be present allowing a particular Node to skip this message if it is exclusively for public use. Questions that might be asked about such an exemption include:

L.2.5.2 Example of an Exemption Based on Node/Filename pair

For LJK/Security test (DISK, FILEPROT, ABSOLUTHI)3 the value specified in the limit is (SYSTEM:RWED,OWNER:RWED,GROUP:RE,WORLD), meaning a violation will be reported for each file which has a more permissive protection mask.

For LJK/Security test (DISK, FILEPROT,PERCENTHI)4 and selector READ, the limit specified has a value of 10, meaning a violation will be reported for each file to which more than 10 percent of users have read access.

Often exemptions will be used for those two tests with respective values of (SYSTEM:RWED, OWNER:RWED,GROUP:RE,WORLD:RE) and 100 percent for a VMS system-wide login command procedure, since that must be executed on behalf of each user at login. Questions that might be asked about such exemptions include:

L.2.5.3 Example of an Exemption Based on Node/Terminal pair

For LJK/Security test (TERM, TYPEAHEAD, PROHIBITED)5 the value specified in the limit is True, meaning a violation will be reported for each terminal over which logins are allowed by VMS. A typical policy will include exemptions for each terminal over which logins are allowed by site rules. Questions that might be asked about such an exemption include:

L.2.5.4 Example of an Exemption Based on Node/Username pair

For LJK/Security test (UAF, PRIVLEVEL, ABSOLUTHI)6 the value specified in the limit is Category-Normal, meaning a violation will be reported for each username that has privileges at a higher level. A typical policy will include an exemption allowing username SYSTEM to have privileges at the level Category-All. Separate exemptions would be present for individuals assigned to system management duties.

Questions that might be asked about such an exemption include:

Note

2 (VMS,ANNOUNCE,CONTAINS) is the LJK/Security notation for the test of text which must be present in the message that is displayed to all users before login.

3 (DISK, FILEPROT, ABSOLUTHI) is the LJK/Security notation for the test that no file has an overly permissive protection mask.

4 (DISK, FILEPROT,PERCENTHI) is the LJK/Security notation for the test that no file can be accessed in the selector-specified mode by more than a certain percentage of the usernames on the system, regardless of whether access is granted by protection mask or access control list.

5 (TERM, TYPEAHEAD, PROHIBITED) is the LJK/Security notation for the test that asynchronous logins cannot be done from terminal lines.

6 (UAF, PRIVLEVEL, ABSOLUTHI) is the LJK/Security notation for the test that no username has privileges above a particular level (typically called "category" in the VMS documentation).
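
The limit-and-exemption logic of Section L.2.5.2, sketched in Python as an added example; it is not LJK/Security code and does not reproduce the product's implementation. The node names NODEA and NODEB, the file list, the SYLOGIN path and all function names are assumptions constructed for illustration.

```python
# Added illustration; not LJK/Security code. Nodes and files below are constructed.
CLASSES = ("SYSTEM", "OWNER", "GROUP", "WORLD")
ACCESS = "RWED"

def parse_mask(text):
    """Parse '(SYSTEM:RWED,OWNER:RWED,GROUP:RE,WORLD)' into {class: set of letters}."""
    mask = {c: set() for c in CLASSES}
    for item in text.strip().strip("()").split(","):
        name, _, access = item.strip().partition(":")
        name, access = name.strip().upper(), access.strip().upper()
        if name not in mask or not set(access) <= set(ACCESS):
            raise ValueError(f"bad protection entry: {item!r}")
        mask[name] = set(access)  # a class listed with no letters has no access
    return mask

def excess(actual, allowed):
    """Access granted by `actual` beyond `allowed`, per user class."""
    over = {}
    for c in CLASSES:
        extra = actual[c] - allowed[c]
        if extra:
            over[c] = "".join(a for a in ACCESS if a in extra)
    return over

def assess(files, limit, exemptions):
    """Report (node, filename, excess) for each file more permissive than its ceiling.

    An exemption replaces the limit only for its exact (node, filename) pair.
    """
    violations = []
    for node, filename, mask in files:
        ceiling = exemptions.get((node, filename), limit)
        over = excess(parse_mask(mask), parse_mask(ceiling))
        if over:
            violations.append((node, filename, over))
    return violations

LIMIT = "(SYSTEM:RWED,OWNER:RWED,GROUP:RE,WORLD)"
SYLOGIN = "SYS$MANAGER:SYLOGIN.COM"  # assumed location of the system-wide login procedure
EXEMPTIONS = {("NODEA", SYLOGIN): "(SYSTEM:RWED,OWNER:RWED,GROUP:RE,WORLD:RE)"}
FILES = [  # constructed sample data
    ("NODEA", SYLOGIN, "(SYSTEM:RWED,OWNER:RWED,GROUP:RE,WORLD:RE)"),
    ("NODEB", SYLOGIN, "(SYSTEM:RWED,OWNER:RWED,GROUP:RE,WORLD:RE)"),
    ("NODEA", "DISK$USER:[SMITH]NOTES.TXT", "(SYSTEM:RWED,OWNER:RWED,GROUP:RWE,WORLD)"),
    ("NODEA", "DISK$USER:[SMITH]PLAN.TXT", "(SYSTEM:RWED,OWNER:RWED,GROUP,WORLD)"),
]

if __name__ == "__main__":
    for node, filename, over in assess(FILES, LIMIT, EXEMPTIONS):
        print(f"{node} {filename}: exceeds limit by {over}")
```

The exemption is keyed on the Node/Filename pair, so the same file on NODEB is still reported, and an exempted file that exceeds even its exemption value is reported as well.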


Appendix M
DoD Instruction 8500.2 Vulnerability Assessments

This appendix tells how to use LJK/Security to comply with US Department of Defense Instruction 8500.2 published February 6, 2003.

Note

Within this appendix, specialized terms defined in DoD Instruction 8500.2 are presented in italic text, while specialized terms defined in the Glossary of the LJK/Security Reference Manual are presented in boldface text. The distinction is important because some words like "policy" are defined (differently) in both places.

M.1 The Role of LJK/Security in 8500.2 Assessments

As a software tool, LJK/Security can only measure those security controls that can be tested under a running copy of the VMS (OpenVMS) operating system. High speed scanning of protections on all disk files is easily handled by LJK/Security. Determining whether the 3rd shift operator received proper personnel screening before being hired is totally beyond the scope of LJK/Security.

M.2 An Easy Start for DoD Instruction 8500.2 Assessments

If you are new to LJK/Security, the vast array of capabilities can seem daunting. To get some quick results, use the following steps.

M.2.1 Setting Up the Environment

  1. Have the VMS system manager install LJK/Security as described in Section 2.2, Installation on the Master Node.
  2. Have the person who grants privileges1 issue the commands


    $ SET DEFAULT SYS$SYSTEM
    $ MCR AUTHORIZE GRANT/IDENTIFIER LJK$SECURITY_ALL <your-user-name>
    

  3. Log into a fresh session with your user name (this is required)

M.2.2 Running Your First Assessments

  1. Create a policy that will describe the particular DoD Instruction 8500.2 controls required for your system. Use a command like:


    $ LJK/SECURITY CREATE POLICY MY_8500_2_POLICY
    $ @LJK$SECURITY_EXAMPLES:POLICY_NULL.COM MY_8500_2_POLICY
    

    Note

    If you are not a touch typist, you can open this document on screen and copy and paste many of the commands as you need them.
  2. Use JUST ONE of the following commands to specify the Mission Assurance Category and Confidentiality Level that apply to your system:


    $ @LJK$SECURITY_EXAMPLES:POLICY_DODI_8500_2_MACI_CLASSIFIED.COM MY_8500_2_POLICY
    


    $ @LJK$SECURITY_EXAMPLES:POLICY_DODI_8500_2_MACII_CLASSIFIED.COM MY_8500_2_POLICY
    


    $ @LJK$SECURITY_EXAMPLES:POLICY_DODI_8500_2_MACIII_CLASSIFIED.COM MY_8500_2_POLICY
    


    $ @LJK$SECURITY_EXAMPLES:POLICY_DODI_8500_2_MACI_SENSITIVE.COM MY_8500_2_POLICY
    


    $ @LJK$SECURITY_EXAMPLES:POLICY_DODI_8500_2_MACII_SENSITIVE.COM MY_8500_2_POLICY
    


    $ @LJK$SECURITY_EXAMPLES:POLICY_DODI_8500_2_MACIII_SENSITIVE.COM MY_8500_2_POLICY
    


    $ @LJK$SECURITY_EXAMPLES:POLICY_DODI_8500_2_MACI_PUBLIC.COM MY_8500_2_POLICY
    


    $ @LJK$SECURITY_EXAMPLES:POLICY_DODI_8500_2_MACII_PUBLIC.COM MY_8500_2_POLICY
    


    $ @LJK$SECURITY_EXAMPLES:POLICY_DODI_8500_2_MACIII_PUBLIC.COM MY_8500_2_POLICY
    

  3. Use the DIRECTORY command to look at the list of policy modifications for particular VMS versions


    $ DIRECTORY/FULL LJK$SECURITY_EXAMPLES:POLICY_VMS_SHA1_*.COM;
    
    The names of those command procedures indicate the version of VMS to which each one applies.

  4. Customize your policy for your version of VMS by invoking the proper command procedure


    $ @LJK$SECURITY_EXAMPLES:POLICY_VMS_SIMPLE_AXP_07_3_2.COM MY_8500_2_POLICY
    

    Note

    You can Copy and Paste portions of that command line, but be sure to specify the proper command procedure name for your version of VMS.
  5. Start LJK/Security in subsystem mode for easier typing


    $ LJK/SECURITY/NOSMG/INTERFACE=CHARACTER_CELL
    

    You may want to create a DCL symbol in your LOGIN.COM file if you are going to use command mode on a regular basis.

  6. Create an assessment


    LJKS> CREATE ASSESSMENT MY_8500_2_ASSESSMENT
    LJKS> MODIFY ASSESSMENT MY_8500_2_ASSESSMENT/NODE=<this-node>/POLICY=MY_8500_2_POLICY
    

  7. Run the assessment omitting resource-intensive facilities


    LJKS> RUN MY_8500_2_ASSESSMENT /METHODS=QUICK
    

  8. Take a break
  9. Come back and check results


    LJKS> REPORT MY_8500_2_ASSESSMENT/STATUS_ONLY
    

  10. When that indicates the assessment has completed, extract a summary and a detailed report


    LJKS> REPORT MY_8500_2_ASSESSMENT/SUMMARY=COMMENTS/OUTPUT=8500_2_SUMMARY.TXT
    LJKS> REPORT MY_8500_2_ASSESSMENT/OUTPUT=8500_2_DETAILS.TXT
    

  11. Start a full assessment running while you study the results of the quick assessment


    LJKS> RUN MY_8500_2_ASSESSMENT
    

  12. Exit from LJK/Security subsystem mode


    LJKS> [Ctrl/Z]
    

The files you created will list as violations some conditions that are actually acceptable under the organization's policy. That may seem annoying during the periodic unannounced in-depth monitoring specified for ECMT-* Conformance Monitoring and Testing, but it is probably intolerable during the more frequent ongoing automated vulnerability assessment conducted to meet the requirements of 8500.2 control VIVM-1 Vulnerability Management. Thus you will eventually want to set up exemptions for known acceptable deviations from the general rules.

You can specify which conditions are actually acceptable by customizing your policy. Then subsequent assessment runs will produce a proper "management by exception" report.

M.2.3 Choosing a User Interface

Customizing your policy takes more interaction and will be an ongoing activity as personnel and requirements change. You might want to use a different user interface. You have your choice of three:

  1. Window
    Described in Section 3.3.3, Adding an Exemption
  2. Menu
    Described in Section 4.2.3, Adding an Exemption
  3. Command
    Described in MODIFY POLICY within Chapter 5, Command Interface

You can freely intermix use of the various user interfaces, perhaps depending on what type of connection you have to the system at a given time.

M.2.4 Adding Exemptions for Acceptable Deviations

Use your choice of interface to add exemptions to your policy as follows

Of course you could have added those exemptions before trying to run the assessment, but most people prefer to see some output first to understand that they want to add exemptions where authorized.

Note

1 The person who grants privileges to usernames will probably be a separate person from the VMS system manager in any organization which fully implements "Separation of Duties" specified in DoDI 8500.2 control ECLP-1. It might be the person who sets up new user accounts, or someone else specially designated to deal with privileged accounts.

M.3 Saving Time on ECMT Conformance Monitoring and Testing

Two of the DoD Instruction 8500.2 controls have a recursive relationship to the overall document because they actually pertain to occasions when compliance with other 8500.2 controls should be verified:

M.3.1 ECMT-* Conformance Monitoring and Testing

DoD Instruction 8500.2 controls ECMT-2 and ECMT-1 require periodic unannounced in-depth monitoring at all Confidentiality Levels:

ECMT-2 Conformance Monitoring and Testing

Conformance testing that includes periodic, unannounced in-depth monitoring and provides for specific penetration testing to ensure compliance with all vulnerability mitigation procedures such as the DoD IAVA or other DoD IA practices is planned, scheduled, conducted and independently validated. Testing is intended to ensure that the system's IA capabilities continue to provide adequate assurance against constantly evolving threats and vulnerabilities.

For DoD information systems processing publicly released information, ECMT-1 is slightly less stringent, omitting the phrase "and independently validated".

Organizations following DoD Instruction 8500.2 can save considerable effort if the periodic conformance testing required for control ECMT-2 or ECMT-1 makes use of exemptions prepared as part of the LJK/Security assessments run in support of the VIVM-1 Vulnerability Management control.

The technique described involves creating an LJK/Security policy for ECMT Conformance Monitoring using two different techniques:

M.3.1.1 VIVM-1 Vulnerability Management

VIVM-1 Vulnerability Management

A comprehensive vulnerability management process that includes the systematic identification and mitigation of software and hardware vulnerabilities is in place. Wherever system capabilities permit, mitigation is independently validated through inspection and automated vulnerability assessment or state management tools. Vulnerability assessment tools have been acquired, personnel have been appropriately trained, procedures have been developed, and regular internal and external assessments are conducted. For improved interoperability, preference is given to tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and use the Open Vulnerability Assessment Language (OVAL) to test for the presence of vulnerabilities.

As one considers the question of which controls should be subjected to that ongoing assessment, an ancillary question will arise about what effort is required for this continuous monitoring. There is no good reason to avoid continuous monitoring of a control if the effort required is minimal. By definition, testing those controls that LJK/Security can test takes minimal effort, because the testing is automated. So for most VMS systems, testing controls related to the protection of every file on every disk once a week, and other controls daily or hourly, is quite reasonable. For special situations like warfighting systems, it might be preferable to run that continuous monitoring only during a designated maintenance period, particularly if a realtime device must be manipulated by the VMS system with millisecond response times.

